diff --git a/files/etc/systemd/user/move_old_logs.timer b/files/etc/systemd/user/move_old_logs.timer
new file mode 100644
index 0000000000000000000000000000000000000000..f0b9b8329e81ca2990c2eca8ce8fa05632c399f0
--- /dev/null
+++ b/files/etc/systemd/user/move_old_logs.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=timer for move_old_logs.service
+[Timer]
+# run once a year, on the 1st of January at 05:00:00am.
+OnCalendar=*-1-1 05:00:00
+Unit=move_old_logs.service
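Review bot: The timer has no `[Install]` section, so the `enabled: true` in tasks/install_move_logs.yml has nothing to hook it to; adding `[Install]` with `WantedBy=timers.target` would fix that. The unit is also installed under /etc/systemd/user/, which is the search path of per-user managers, while the service sets `User=`/`Group=` and the enabling task uses the module's default system scope. As far as this diff shows, the system manager will therefore find neither unit, and /etc/systemd/system/ looks like the intended location (the same applies to the service template and the copy task's `dest`). For a once-a-year job, `Persistent=true` in `[Timer]` would let a run missed through downtime on 1 January be caught up at the next start.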
diff --git a/files/move_old_logs.sh b/files/move_old_logs.sh
new file mode 100644
index 0000000000000000000000000000000000000000..141043f195df7caaca0242400242affcb52b7801
--- /dev/null
+++ b/files/move_old_logs.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# This script is intended to be run regularly and move logfiles from previous
+# years to an archive directory. Logfiles from the current year are NOT moved,
+# so they can be easily found.
+
+START_YEAR="2015"
+CURRENT_YEAR="$( date +%Y )"
+PREVIOUS_YEAR="$(( CURRENT_YEAR - 1 ))"
+
+cd "/var/log/subapp/${HOSTNAME}/" || exit 1
+
+# create directories for old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mkdir -p "old/${YEAR}"
+done
+
+# move all old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mv "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}*.log" "old/${YEAR}/"
+	mv "Protokoll_SLUBArchiv_FEHLER-${YEAR}*.log" "old/${YEAR}/"
+	mv "sips.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "subapp.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "webservice.log.${YEAR}-*.lz" "old/${YEAR}/"
+done
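Review bot: Neither loop iterates over years: `${START_YEAR}..${PREVIOUS_YEAR}` is a single word such as `2015..2024`, and wrapping it in braces would not help because bash performs brace expansion before variable expansion. The `mv` sources are fully double-quoted, so the `*` is taken literally and no log file matches. As written, nothing is archived, and the script's exit status is only that of the last `mv`, so the earlier failures do not show in the unit result. A C-style loop with the glob left outside the quotes, plus `nullglob` for years without files, is sketched below.

```shell
# unmatched patterns expand to nothing instead of to themselves
shopt -s nullglob

# … unchanged: START_YEAR / CURRENT_YEAR / PREVIOUS_YEAR, cd into the log directory …

for (( YEAR = START_YEAR; YEAR <= PREVIOUS_YEAR; YEAR++ )); do
	# keep the year prefix quoted, leave the wildcard outside the quotes
	FILES=(
		"Protokoll_SLUBArchiv_Erfolgreich-${YEAR}"*.log
		"Protokoll_SLUBArchiv_FEHLER-${YEAR}"*.log
		"sips.log.${YEAR}-"*.lz
		"subapp.log.${YEAR}-"*.lz
		"webservice.log.${YEAR}-"*.lz
	)
	mkdir -p "old/${YEAR}"
	# skip years that have nothing left to archive
	(( ${#FILES[@]} > 0 )) || continue
	mv -- "${FILES[@]}" "old/${YEAR}/"
done
```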
diff --git a/handlers/main.yml b/handlers/main.yml
index 18dca89f5c02a34988a5c1ecf13528a6e6b254af..d6cd015af7112c7d9c2be6665e2406ae0bfd1e3c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -42,3 +42,6 @@
 - name: create PIDfiles
   command: systemd-tmpfiles --create
 
+- name: daemon-reload
+  systemd:
+    daemon_reload: true
diff --git a/tasks/install_move_logs.yml b/tasks/install_move_logs.yml
new file mode 100644
index 0000000000000000000000000000000000000000..29985131abb85c1fcb5a9d96902cd8cd12dc5f52
--- /dev/null
+++ b/tasks/install_move_logs.yml
@@ -0,0 +1,29 @@
+---
+- name: install timer and script for moving old logs to archive
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "/{{ item.path }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  loop:
+    - path: "etc/systemd/user/move_old_logs.timer"
+      mode: "0644"
+    - path: "usr/local/bin/move_old_logs.sh"
+      mode: "0755"
+  notify: daemon-reload
+
+- name: install service for moving old logs to archive
+  ansible.builtin.template:
+    src: "etc/systemd/user/move_old_logs.service.j2"
+    dest: "/etc/systemd/user/move_old_logs.service"
+    mode: 0755
+    owner: "root"
+    group: "root"
+  notify: daemon-reload
+
+- name: enable timer for moving old logs to archive
+  ansible.builtin.systemd:
+    name: "move_old_logs.timer"
+    state: started
+    enabled: true
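Review bot: The copy loop resolves `src: usr/local/bin/move_old_logs.sh` to files/usr/local/bin/move_old_logs.sh, but this commit adds the script as files/move_old_logs.sh. Unless the file also exists elsewhere, that item will fail with a missing source; either move the script or give the loop items separate `src` and `dest` keys. The last task starts the timer before the notified `daemon-reload` handler has run, since handlers fire at the end of the play, so add `daemon_reload: true` to that task or a `meta: flush_handlers` before it. The service unit is installed with `mode: 0755`, unquoted and executable. Unit files should not be executable and the loop items already use quoted strings, so `mode: "0644"` is the consistent choice.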
diff --git a/tasks/main.yml b/tasks/main.yml
index fd82728995e0b596795f2a7a32f46e4caa562350..192bd59975b44b37b12f9f01d13707648982886a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,6 +65,10 @@
   import_tasks: "install_ta_tools.yml"
   tags: [ta, apt]
 
+- name: install scripts and services for moving old logs to archive
+  import_tasks: "install_move_logs.yml"
+  tags: [log, cleanup]
+
 - name: cleanup remainders of METS-based SubApp
   import_tasks: cleanup_legacy.yml
   tags: [cleanup]
diff --git a/templates/etc/systemd/user/move_old_logs.service.j2 b/templates/etc/systemd/user/move_old_logs.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..86f890db576852f0f0bdc38c772265bbe2f6cccb
--- /dev/null
+++ b/templates/etc/systemd/user/move_old_logs.service.j2
@@ -0,0 +1,33 @@
+[Unit]
+Description=move_old_logs.sh
+After=remote-fs.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/move_old_logs.sh
+User={{ vault_subapp_user }}
+Group={{ vault_subapp_group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target
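Review bot: `ProtectSystem=strict` mounts the whole file system hierarchy read-only for the service and no `ReadWritePaths=` is set, so the `mkdir` and `mv` calls of move_old_logs.sh under /var/log/subapp/ will fail on a read-only file system. Adding `ReadWritePaths=/var/log/subapp` keeps the hardening and opens only the directory the script works in. Since the unit is started by the timer and runs to completion, `Type=oneshot` fits better than `Type=simple`. The `[Install]` stanza with `WantedBy=multi-user.target` can be dropped, because enabling the service with it would also run the move at every boot.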